FBI still wants two years of ISP Web logs

The FBI wants ISPs to log their subscribers' source and destination addresses …

Largely at the behest of the European Union, search engines like Google, Microsoft, and Yahoo have cut their data retention periods over the last few years. Now, all those sensitive search queries you make will be anonymized in a matter of months—Yahoo will do so after 90 days, Microsoft will remove all IP addresses after six months, and Google anonymizes IP addresses after nine months. Europe has decided that six months should be the limit.

But the US continues its push to make ISPs and other Internet companies keep data longer than they do now, hoping to have access to two full years of records at any given time.

CNET attended a meeting of the Online Safety and Technology Working Group in DC last week, and reports that the FBI is still pushing for ISPs to create and retain logs of Web visits for two full years. The idea is to have the resources needed to bust those accessing child porn URLs, though the information would be of limited value; the FBI wants only "origin and destination" addresses, not the contents of pages or information entered on those pages.

It's not surprising, given the fact that FBI head Robert Mueller was also head of the Bureau back in 2006, when he asked for the same thing. Under the previous administration, the Department of Justice used to make similar proposals on a regular basis, though current Attorney General Eric Holder doesn't seem quite as concerned with the issue.

The two-year data retention request has remained consistent over the last four years, even as the Europeans have tightened up many of their data retention policies. That might be, in part, because the US has no equivalent to the EU's Article 29 Working Group, made up of national data privacy commissioners; here, the push for privacy comes largely from nonprofits outside the government, not from within.

But Europe does face conflicts between its privacy advocates and law enforcement, which are instructive to consider since the EU is ahead (in a temporal sense) of the US on these issues. While the Article 29 group pushes Internet companies to retain data for no more than six months, the 2006 EU Data Retention Directive requires ISPs and Internet companies to retain certain kinds of data for six months to 24 months. The rule has to be made into law by each EU member state, and was to be fully in place by the end of 2009. Each state can choose whatever retention period it likes best, and can even go beyond two years if desired. (Much like the FBI's request, the EU rule requires source and destination information, but not the actual contents of communications.)

The US has not adopted either comprehensive data privacy or data retention legislation. The FBI has not been shy about making its views on the matter heard, but the fact that four years have passed without Congress giving the Bureau what it wants shows what a low priority the matter remains.